Decision:

Use all of the methods in the rows that apply to the particular separation:

Conditions                                                                           Functions to use
-----------------------------------------------------------------------------------  ----------------------------------------------------------
No zoning architecture is in use                                                     Use firewall functions in a reactive mode only.
The separation is between a DMZ and an internal zone                                 Use network address translation (NAT).
The separation is used to defend a low surety server                                 Use proxy servers.
The separation is between different servers in the DMZ                               Use demilitarized zone (DMZ) subzones.
A zoning architecture is in use                                                      Use access control lists (ACLs).
A layered zoning architecture is used                                                Use session initiation and directional controls.
The separation defends a medium or high risk zone with standard characteristics      Use stateful inspection.
The separation defends a high risk zone or system                                    Use application-specific input and output state controls.
The separation defends a high risk system with well-defined, limited interactions    Use limited function interfaces.
Scanning through the firewall is not required from the source                        Use passive deception.

Controls to allow communication between communicating zones and subzones

Basis:

Use firewall functions in a reactive mode only.

Firewalls are sometimes used purely as a response mechanism, to assure
that, in case of an incident, some control point is available at which
traffic can be cut off or redirected. If no zoning approach is in use,
this is a reasonable use of firewalls.

Use network address translation (NAT).

The simplest and most common firewall technique is NAT. In NAT, one
external IP address is shared by many internal machines (as many as
the translator's port space allows) when they access the Internet. This
lowers ISP fees in many cases by reducing the number of IP addresses
the business requires. It also prevents direct attack on internal
computers and allows a change of ISP to be made more quickly and easily
than would otherwise be possible. Because all internal traffic is
translated to a single external IP address, and inbound traffic is
forwarded only when it matches a mapping created by an internal host
(or an explicit port forward), attackers cannot directly reach internal
computers, and most Internet worms and other direct attacks fail. NAT
does nothing to inspect or limit the connections that internal hosts
open outward, so a host that has already been compromised can still
reach out.
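The behaviour described above, as an added example that is not code from the original page: a small port-address translator with one public address, showing that a genuine reply is mapped back to the internal host, that an unsolicited probe and a guessed-port packet from a different remote host are dropped, and that an explicit port forward is the one exception. The addresses, ports, packets and the mapping policy (one external port per internal flow, matched on the remote endpoint) are constructed assumptions for illustration.

```python
"""NAT as the text describes it: one public address shared by many internal
hosts, with unsolicited inbound traffic dropped.  Added example; addresses,
ports and packets are constructed.
"""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class Nat:
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # internal flow -> external source port chosen for it
        self.out = {}
        # (external port, remote host, remote port, proto) -> (internal host, port)
        self.back = {}
        # explicit port forwards, the one way inbound traffic can start a flow
        self.forwards = {}

    def outbound(self, p: Packet) -> Packet:
        """Rewrite an internal host's packet so it appears to come from the public address."""
        key = (p.src, p.sport, p.dst, p.dport, p.proto)
        port = self.out.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.out[key] = port
            self.back[(port, p.dst, p.dport, p.proto)] = (p.src, p.sport)
        return replace(p, src=self.public_ip, sport=port)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Translate a packet arriving at the public address, or return None to drop it."""
        if p.dst != self.public_ip:
            return None
        fwd = self.forwards.get((p.dport, p.proto))
        if fwd is not None:
            return replace(p, dst=fwd[0], dport=fwd[1])
        inside = self.back.get((p.dport, p.src, p.sport, p.proto))
        if inside is None:
            # No internal host asked for this: a scan, a worm, or a spoofed reply.
            return None
        return replace(p, dst=inside[0], dport=inside[1])


def demo() -> dict:
    nat = Nat("203.0.113.5")
    nat.forwards[(80, "tcp")] = ("10.0.0.80", 8080)   # a deliberately published web server
    out = nat.outbound(Packet("10.0.0.7", 51234, "198.51.100.9", 443))
    return {
        "out": out,
        # the genuine reply comes back to the port that was handed out
        "reply": nat.inbound(Packet("198.51.100.9", 443, "203.0.113.5", out.sport)),
        # a worm probing SMB on the public address finds no mapping
        "probe": nat.inbound(Packet("198.51.100.200", 6000, "203.0.113.5", 445)),
        # a third party guessing the external port fails: the remote endpoint differs
        "spoof": nat.inbound(Packet("198.51.100.200", 443, "203.0.113.5", out.sport)),
        # the port forward is the exception: anyone can reach it
        "web": nat.inbound(Packet("198.51.100.200", 6000, "203.0.113.5", 80)),
    }


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:6} -> {'DROP' if pkt is None else pkt}")
```

The "web" entry is the practical caveat: every port forward re-exposes one internal service exactly as if NAT were not there, so forwarded ports need the other controls on this page (ACLs, proxies, subzones) rather than the protection NAT gives by default.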

Use demilitarized zone (DMZ) subzones.

DMZ subzones are used to partition systems within the DMZ
environment from each other so as to limit the effects of attacks on
one DMZ system on other DMZ systems.

Use proxy servers.

Proxy servers are used to rewrite datagrams, normalize content, and
perform other inspection and normalization functions, as well as to
audit and surveil content. They are particularly important when the
systems they protect have inadequate controls over datagram-level
attacks or are not updated immediately upon detection of new
vulnerabilities.

Use access control lists (ACLs).

ACLs are useful for limiting the address and port pairs that can
communicate through the firewall. Any time such limits can be
reasonably put in place, they should be, since there is no legitimate
reason for unauthorized communications to take place, and limiting
them reduces the surface area, in terms of addresses and ports,
available for attack and for configuration errors. When attackers try
to exploit systems after entry, this also limits their ability to
explore and exploit other systems.

Use session initiation and directional controls.

Session initiation controls are used to assure that the paths traffic
takes are properly limited to authorized information flows: a session
may be opened only from the side that is supposed to open it, and the
other direction carries replies only. They are also effective at
compensating for misconfigurations and, when attackers try to exploit
systems after entry, at limiting their ability to explore and exploit
other systems.

Use stateful inspection

Stateful inspection adds processing time and memory overhead, and has
value only when the firewall can properly interpret the state in light
of other information. For protocol-level events, such as replies
arriving when no originating datagram was sent, it is very useful in
limiting intelligence gathering and other low-level problems, but when
NAT or similar measures are in place, such traffic is normally limited
anyway.
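The three controls above (ACLs, session initiation direction, and stateful matching) in one small packet filter, as an added example that is not code from the original page. Zones are defined by address range; each rule names the zone that may open a session, the zone it may open it to, and the port; a session is recorded when its first packet passes a rule, later packets of that session pass in either direction, and a "reply" with no recorded session is dropped. The zones, addresses, rules and packets are constructed assumptions.

```python
"""Zone-based ACLs, session-initiation direction and stateful matching.
Added example; zones, addresses, rules and packets are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Zones, most specific first so the catch-all "internet" matches only what is left.
ZONES = [
    ("internal", ip_network("10.0.0.0/8")),
    ("dmz", ip_network("192.0.2.0/24")),
    ("internet", ip_network("0.0.0.0/0")),
]

# ACL entries: (initiating zone, target zone, proto, port).  The zone order is
# the directional control: a session may be opened only from the first zone
# to the second; the reverse direction exists only as replies.
RULES = {
    ("internet", "dmz", "tcp", 443),   # public web front end
    ("dmz", "internal", "tcp", 5432),  # front end to its database
    ("internal", "dmz", "tcp", 22),    # administration from inside only
}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False   # True for the first packet of a TCP session


def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    return next(name for name, net in ZONES if addr in net)


class Firewall:
    def __init__(self, rules):
        self.rules = set(rules)
        self.sessions = set()   # 5-tuples of sessions opened through a permitted rule

    def filter(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport, p.proto)
        rev = (p.dst, p.dport, p.src, p.sport, p.proto)
        if fwd in self.sessions or rev in self.sessions:
            return "ACCEPT"                  # traffic of a session we saw being opened
        if not p.syn:
            return "DROP:no-session"         # a reply nothing asked for: scan or probe
        rule = (zone_of(p.src), zone_of(p.dst), p.proto, p.dport)
        if rule not in self.rules:
            return "DROP:acl"                # wrong address/port pair or wrong direction
        self.sessions.add(fwd)
        return "ACCEPT"


def demo() -> list:
    fw = Firewall(RULES)
    return [
        fw.filter(Packet("198.51.100.7", 40001, "192.0.2.10", 443, syn=True)),   # client opens HTTPS to DMZ
        fw.filter(Packet("192.0.2.10", 443, "198.51.100.7", 40001)),             # reply within that session
        fw.filter(Packet("192.0.2.10", 48000, "10.0.0.50", 5432, syn=True)),     # front end opens DB session
        fw.filter(Packet("198.51.100.7", 40002, "10.0.0.50", 445, syn=True)),    # Internet straight to internal SMB
        fw.filter(Packet("192.0.2.10", 48001, "10.0.0.50", 22, syn=True)),       # compromised DMZ host pivoting inward
        fw.filter(Packet("10.0.0.9", 52000, "192.0.2.10", 22, syn=True)),        # admin SSH from inside, permitted direction
        fw.filter(Packet("198.51.100.7", 40003, "192.0.2.10", 443)),             # ACK-only packet with no session
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The fifth packet is the one the text's "after entry" argument is about: SSH from the DMZ to the internal zone is the same port pair as the permitted rule but the wrong direction, so an attacker on the front end cannot reuse the administrators' path.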

Use application-specific input and output state controls.

Application-specific input and output state controls are useful at
mitigating the lack of adequate controls in applications running on
servers. Unless applications are already properly designed and
implemented to accept only proper inputs in proper states, such
controls are likely to reduce the number of application exploits
available to the attacker. As a fundamental notion, to meet this
condition, input should be checked as a function of state at each
point where input could cause harm, and only known valid inputs should
be allowed to pass. At a minimum such checks should cover minimum and
maximum length and the allowed symbols.
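One way to implement such controls at a gateway in front of a server, as an added example that is not code from the original page: a per-state table of the commands permitted in each state of a small mail-submission dialogue (HELO, MAIL, RCPT, DATA, QUIT), with length, control-character and allowed-symbol checks on the argument of each command and on body lines, plus a check on the server's replies so that only replies that make sense in the current state are relayed back. The protocol subset, the limits, the reply-code table and the sample lines are constructed assumptions, not taken from any standard or product.

```python
"""Application-specific input and output state controls for a line-oriented
dialogue.  Added example; protocol subset, limits and sample lines are constructed.
"""
import re

MAX_LINE = 512                                  # ceiling applied to every line in either direction
ADDR = r"<[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,253}>"

# state -> {command: (argument pattern, next state)}.  A command not in the
# table for the current state is rejected, whatever the server would accept.
TRANSITIONS = {
    "start": {"HELO": (r"[A-Za-z0-9.-]{1,253}", "ready")},
    "ready": {"MAIL": (r"FROM:" + ADDR, "mail")},
    "mail":  {"RCPT": (r"TO:" + ADDR, "rcpt")},
    "rcpt":  {"RCPT": (r"TO:" + ADDR, "rcpt"), "DATA": (r"", "data")},
}
BODY_LINE = re.compile(r"[\x20-\x7e\t]*")        # message body: printable ASCII and tab only

# state -> server reply codes the gateway will relay to the client in that state
ALLOWED_REPLIES = {
    "start": {"220"},
    "ready": {"250", "501", "503", "550"},
    "mail": {"250", "501", "550"},
    "rcpt": {"250", "354", "501", "550"},
    "data": {"250", "354", "554"},
    "closed": {"221"},
}


def check_input(state: str, line: str) -> tuple:
    """Return (verdict, next_state) for one client line arriving in `state`."""
    if len(line) > MAX_LINE or "\r" in line or "\n" in line:
        return "reject:length-or-control", state
    if state == "data":                          # body lines until the terminating "."
        if line == ".":
            return "pass", "ready"
        if BODY_LINE.fullmatch(line) is None:
            return "reject:symbols", state
        return "pass", state
    cmd, _, arg = line.partition(" ")
    if cmd == "QUIT" and arg == "":
        return "pass", "closed"
    entry = TRANSITIONS.get(state, {}).get(cmd)
    if entry is None:
        return "reject:state", state             # right command, wrong state (or unknown command)
    pattern, nxt = entry
    if re.fullmatch(pattern, arg) is None:
        return "reject:symbols", state           # length or character set of the argument
    return "pass", nxt


def check_output(state: str, reply: str) -> str:
    """Output control: relay only well-formed replies that belong in this state."""
    if len(reply) > MAX_LINE or re.fullmatch(r"[2-5]\d\d(?:[ -][\x20-\x7e]*)?", reply) is None:
        return "reject:format"
    if reply[:3] not in ALLOWED_REPLIES[state]:
        return "reject:state"
    return "pass"


def run(lines: list) -> list:
    """Feed a client session through check_input and collect the verdicts."""
    state, verdicts = "start", []
    for line in lines:
        verdict, state = check_input(state, line)
        verdicts.append(verdict)
    return verdicts


SESSION = [                                      # constructed client lines
    "RCPT TO:<x@example.org>",                   # recipient before HELO/MAIL: state violation
    "HELO " + "a" * 300,                         # host name over the length limit
    "HELO relay.example.net",
    "MAIL FROM:<bob@example.net>\r\nRCPT TO:<x@y>",   # CRLF injection attempt
    "MAIL FROM:<bob@example.net>",
    "RCPT TO:<alice@example.org>",
    "DATA",
    "Subject: hello",
    "\x1b[2J",                                   # terminal escape sequence in the body
    "x" * 600,                                   # over-long body line
    ".",
    "QUIT",
]

if __name__ == "__main__":
    for line, verdict in zip(SESSION, run(SESSION)):
        print(f"{verdict:25} {line[:40]!r}")
```

The point of the table is that it is written from what the protected application legitimately needs, not from what the server parser happens to tolerate; anything outside the table never reaches the server, which is what compensates for an application that was not built to check its own inputs.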

Use limited function interfaces.

Limited function interfaces are used primarily where separation would
normally be required but some specific control, sensory, or actuation
function must still cross the boundary. A typical example is a
manufacturing facility that must send out status information from an
older system that responds only to requests, where those requests need
to be limited because the system cannot be upgraded to protect against
exploits. A limited function interface limits the inputs while
retaining the function.
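The manufacturing case above, as an added example that is not code from the original page: a gateway in front of an unpatchable status controller that accepts only a fixed menu of high-level requests, composes the controller's request bytes itself (never forwarding caller-supplied bytes), polls no faster than the controller tolerates, and passes back only the reply fields it recognises. The request vocabulary, the controller's wire protocol, the polling limit and legacy_system() (a stand-in for the real device) are constructed assumptions.

```python
"""A limited function interface in front of a legacy controller.
Added example; the vocabulary, the controller protocol and legacy_system()
are constructed stand-ins.
"""
import re
import time

# The complete set of requests the controller will ever be sent.
LEGACY_REQUESTS = {
    ("status",): b"GETSTAT\r\n",
    ("temp", "kiln1"): b"RD T01\r\n",
    ("temp", "kiln2"): b"RD T02\r\n",
}
STATUS_RE = re.compile(rb"STAT (RUN|STOP|FAULT) (\d{1,3}) ALARMS\r\n")
TEMP_RE = re.compile(rb"(T\d\d)=(\d{1,4})\r\n")


def legacy_system(request: bytes) -> bytes:
    """Stand-in for the old controller.  It answers whatever it is sent and would
    just as readily act on a write such as b"WR T01 0\r\n"; nothing here is a fix for that."""
    replies = {
        b"GETSTAT\r\n": b"STAT RUN 0 ALARMS\r\n",
        b"RD T01\r\n": b"T01=812\r\n",
        b"RD T02\r\n": b"T02=790\r\n",
    }
    return replies.get(request, b"OK\r\n")


class LimitedInterface:
    def __init__(self, min_interval: float = 1.0, clock=time.monotonic):
        self.min_interval = min_interval   # assumed: the controller tolerates only slow polling
        self.clock = clock
        self.last = float("-inf")

    def request(self, words: list) -> dict:
        key = tuple(w.lower() for w in words)
        if key not in LEGACY_REQUESTS:
            # Even a syntactically valid controller command is refused:
            # the vocabulary is the interface's, not the controller's.
            return {"error": "request not permitted"}
        now = self.clock()
        if now - self.last < self.min_interval:
            return {"error": "rate limited"}
        self.last = now
        raw = legacy_system(LEGACY_REQUESTS[key])   # bytes chosen by the interface, not the caller
        if key[0] == "status":
            m = STATUS_RE.fullmatch(raw)
            if m:
                return {"state": m.group(1).decode(), "alarms": int(m.group(2))}
        else:
            m = TEMP_RE.fullmatch(raw)
            if m:
                return {"sensor": m.group(1).decode(), "value": int(m.group(2))}
        return {"error": "unexpected reply"}        # nothing unrecognised leaks outward


def demo() -> list:
    now = [0.0]                                     # fake clock so the run is deterministic
    iface = LimitedInterface(min_interval=1.0, clock=lambda: now[0])
    results = []
    for words, advance in [
        (["status"], 0.0),
        (["temp", "kiln1"], 1.0),
        (["temp", "kiln1"], 0.2),                   # polled again too soon
        (["WR", "T01", "0"], 1.0),                  # raw controller write command
        (["RD", "T01"], 1.0),                       # valid for the controller, not on the menu
        (["temp", "kiln2; rm -rf /"], 1.0),         # injection attempt in the argument
    ]:
        now[0] += advance
        results.append(iface.request(words))
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Note that the interface does not try to parse or sanitise arbitrary controller syntax; it simply has no path by which caller bytes can reach the controller, which is the difference between a limited function interface and a general proxy.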

Use passive deception.

Unless there is a specific reason to allow scanning of one portion or
location of the network from another, passive deception has essentially
no cost and substantial benefit, in the form of reduced intelligence
available across zones and subzones, and should be applied.